[Openswan Users] Openswan uses only the last defined connection

Peter McGill petermcgill at goco.net
Wed Jan 28 13:57:59 EST 2009

When using PSKs and road warriors (right=%any) all connections must use the same PSK.
PSKs cannot be defined by id in the secrets file, they must use IP address (or %any).
This is because the PSK is sent before the id, so it doesn't know which PSK to compare
to except by IP address.

You can solve this by using RSA keys instead of PSKs which is more secure anyway.
With RSA keys the id is sent with the key and the whole problem is avoided.
RSA keys are the default for Openswan. See doc/install.html and doc/config.html,
ipsec newhostkey and ipsec showhostkey for details on using RSA keys.

I believe it is also possible to pass the id with PSKs with aggressive mode, but
as this weakens your security further, I don't recommend it.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Stefan Guenther
> Sent: January 28, 2009 1:35 PM
> To: users at openswan.org
> Subject: [Openswan Users] Openswan uses only the last defined 
> connection
> Hi,
> we are currently using Openswan 2.4.7 on openSUSE 11.0 (X86-64).
> The ipsec.conf looks as follows:
> version 2.0
> config setup
> 	interfaces=%defaultroute
> 	klipsdebug=none
> 	plutodebug=none
> 	uniqueids=no
> 	forwardcontrol=yes
> conn %default
> 	keyingtries=3
> 	disablearrivalcheck=yes
> 	type=tunnel
> 	pfs=yes
> 	authby=secret
> 	keyexchange=ike
> 	left=217.7.231.XX
> 	leftsubnet=
> 	leftid=217.7.231.XX
> conn user1
> 	right=%any
> 	rightsubnet=
> 	rightid=@user1.firma.de
> conn user2
> 	rightid=@user2.firma.de
> 	rightsubnet=
> include /etc/ipsec.d/examples/no_oe.conf
> And here is the /etc/ipsec.secrets:
> 217.7.231.xx @user1.firma.de: PSK "dummy1"
> 217.7.231.xx @user2.firma.de: PSK "dummy1"
> #217.7.231.xx %any: PSK "dummy1"
> There are no error messages when I start ipsec.
> We use the Greenbow VPN client to connect to this gateway, but I can 
> only use the details for connection user2 and this only works, when I 
> remove the # from the last line of ipsec.secrets.
> If I use the rightid and ip for connection user1, I get the following 
> error messages:
> #1: Main mode peer ID is ID_FQDN: '@user1.firma.de'
> #1: no suitable connection for peer '@user1.firma.de'
> But when I remove connection user2 the connection for user1 
> works perfectly.
> This isn't my first ipsec configuration, but I'm completely confused, 
> what's wrong with this configuration??
> Thanks for any help or hint.
> Stefan
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> 7?n=283155

More information about the Users mailing list